Monday, March 17, 2008

Switch Port Security

If you are working in a strict security environment then switch port security is a must. Configuring switch port security could become a tidious task. However, if you can control the environment when you setup the network, this little trick can help you save a lot of work.

Instead of configuring port security and manually enter MAC address for the port, you could plug all your hosts in then issue the following commands:

Switch(config)#int range f0/1-xx
Switch(config-if-range)#switchport port-security
Switch(config-if-range)#switchport port-security maximum 1
Switch(config-if)#switchport port-security violation restrict
Switch(config-if-range)#switchport port-security mac-address sticky

The first command takes you to the interface range configuration mode; the next two turn on the port security and set a maximum number of mac addresses to 1. "Violation restrict" will not allow traffic for any host whose mac address is different than what the switch has learned for the port in question. After that, the "mac-address sticky" commands instruct the switch to learn the mac address dynamically and remembers it for the each port.

No comments: